Ethereal-users: RE: [Ethereal-users] Auto Falgging

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Mark Holloway" <mholloway@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 15 Jul 2003 17:16:48 -0700
Thank you Guy for the great explanation.  Thank you Ian for the quick
tutorial.  I just tried it and it works fantastic.  I agree that filters
are the most powerful (and useful) part of a network analyzer. 

My company uses Fluke and I want to croak every time I see how much the
old network engineer (who is no longer here) paid for this thing.  The
company bought OptiView PSVS which is the Integrated Network Analyzer,
Protocol Expert, OptiView Reporter, and Network Inspector (now called
OptiView Console) for somewhere around $25,000.  This is totally insane!
We're up for maintenance renewal and the cost is $3,999 for 1 year.

Thanks again!

-m



-----Original Message-----
From: Ian Schorr [mailto:spamcontrol2@xxxxxxxxxxx] 
Sent: Tuesday, July 15, 2003 4:57 PM
To: Mark Holloway
Subject: Re: [Ethereal-users] Auto Falgging

Easy to do in Ethereal provided that you can build a filter that will 
match the symptom or event that you're looking for.  I do this all the 
time to find interesting events.

To use your example, you'd do this to mark all TCP ACKs that took longer
than 50ms to occur in red text (bold or not-bold isn't possible, I
don't believe, except as an application-wide preference):

First, make sure you can filter on TCP acknowledgement times by enabling
TCP sequence number analysis under Preferences->Protocols->TCP.
Go to Display->Colorize Display (which won't be an option until you have
a capture loaded).
Click "New".
Name:  <Anything you want, let's say "TCP Ack > 50ms">
String: tcp.analysis.ack_rtt > .05
Click "Foreground Color" and set the color to red.  Hit OK.
The text in the boxes should change to preview what the text in your
matching frames will look like.
Remember to Save if this is something you want to keep on all the time,
then hit OK again.

I actually tend to use background colors (red, green, etc) when marking 
interesting events since they're better visual cues as I'm walking 
through a trace.  (For example, I usually have a "tcp.analysis.flags" 
color filter set with a pure red background and pure white text, though 
sometimes that marks TOO much).

Remember also that color filters are processed in order, and the first
matching color filter is the one used.  For example, if you have a color
filter of "tcp" already set to mark all TCP segments blue, let's say,
and your "interesting event" filter from above ends up being lower in
the list, then your "interesting event" frames will be marked blue, not
red.

This is one of the most powerful features (as a direct result of filters
being so powerful).  I guarantee Fluke doesn't give you this level of
control, though they may be able to mark a few more "diagnosed events"
than Ethereal is able to...

Ian

Mark Holloway wrote:

>I'm wondering if there is a way to have ethereal flag certain packets
>after a capture.  For example in Fluke Protocol Expert I can tell it to
>flag packets that are longer than 50ms ack times.  When I'm done with
>the capture I know that whatever is in bold red is +50ms.  It makes it
>easier for me when I need to print out a capture and review it with
>other engineers.  This is not a really important thing, but would be
>nice.  Thanks. 
>
>Regards,
>Mark Holloway
>Sr. Network Engineer - Arclight Systems
>702-253-3861 // mobile 702.349.6170
>
>_______________________________________________
>Ethereal-users mailing list
>Ethereal-users@xxxxxxxxxxxx
>http://www.ethereal.com/mailman/listinfo/ethereal-users
>
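The ordering caveat in Ian's message (the first matching color filter wins, so a generic "tcp" rule listed above "tcp.analysis.ack_rtt > .05" hides the slow-ACK marking) is easy to check offline. The following is an added example, not code from the thread or from Ethereal: it models an ordered list of color rules as Python predicates, applies them to a few constructed frames, and reports any rule that can never color a frame because an earlier rule claims everything it would match. The frame contents, rule names and color names are constructed for illustration; the 0.05-second threshold is the ".05" from the filter string above.

```python
# Added example, not code from the Ethereal thread: a small model of how an
# ordered list of colour rules is applied to frames, so that the "first
# matching rule wins" behaviour can be checked offline.
# The frames, rule names and colours below are constructed for illustration.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Frame:
    number: int
    protocol: str                       # top-level protocol, e.g. "tcp" or "udp"
    fields: Dict[str, float] = field(default_factory=dict)  # e.g. "tcp.analysis.ack_rtt" in seconds


@dataclass
class ColorRule:
    name: str
    matches: Callable[[Frame], bool]    # stands in for the display-filter string
    fg: str                             # foreground colour name (constructed)
    bg: str                             # background colour name (constructed)


ACK_RTT_THRESHOLD = 0.05   # the ".05" in "tcp.analysis.ack_rtt > .05", in seconds


def slow_ack(frame: Frame) -> bool:
    """Equivalent of the display filter tcp.analysis.ack_rtt > .05."""
    rtt = frame.fields.get("tcp.analysis.ack_rtt")
    return rtt is not None and rtt > ACK_RTT_THRESHOLD


def any_tcp(frame: Frame) -> bool:
    """Equivalent of the display filter "tcp"."""
    return frame.protocol == "tcp"


SLOW_ACK_RULE = ColorRule("TCP Ack > 50ms", slow_ack, fg="red", bg="white")
ALL_TCP_RULE = ColorRule("All TCP", any_tcp, fg="black", bg="blue")

# Constructed frames: a fast ACK, a slow ACK, a UDP datagram and a TCP segment
# that carries no ack_rtt (sequence analysis had nothing to measure for it).
FRAMES = [
    Frame(1, "tcp", {"tcp.analysis.ack_rtt": 0.012}),
    Frame(2, "tcp", {"tcp.analysis.ack_rtt": 0.120}),
    Frame(3, "udp"),
    Frame(4, "tcp"),
]


def colorize(frames: List[Frame], rules: List[ColorRule]) -> Dict[int, Optional[str]]:
    """Map each frame number to the name of the first rule that matches it,
    or None when no rule matches (the frame keeps the default colouring)."""
    return {
        f.number: next((r.name for r in rules if r.matches(f)), None)
        for f in frames
    }


def shadowed_rules(frames: List[Frame], rules: List[ColorRule]) -> List[str]:
    """Names of rules that match at least one frame on their own but never
    get to colour anything, because an earlier rule claims every such frame."""
    chosen = colorize(frames, rules)
    shadowed = []
    for rule in rules:
        would_match = [f.number for f in frames if rule.matches(f)]
        if would_match and all(chosen[n] != rule.name for n in would_match):
            shadowed.append(rule.name)
    return shadowed


if __name__ == "__main__":
    # Generic "tcp" rule listed first: the slow-ACK rule never fires.
    print(colorize(FRAMES, [ALL_TCP_RULE, SLOW_ACK_RULE]))
    print("shadowed:", shadowed_rules(FRAMES, [ALL_TCP_RULE, SLOW_ACK_RULE]))
    # Specific rule listed first: frame 2 is red, the rest of the TCP is blue.
    print(colorize(FRAMES, [SLOW_ACK_RULE, ALL_TCP_RULE]))
    print("shadowed:", shadowed_rules(FRAMES, [SLOW_ACK_RULE, ALL_TCP_RULE]))
```

With the generic rule first, every TCP frame (including the 120 ms ACK) comes out as "All TCP" and the slow-ACK rule is reported as shadowed; moving the specific rule above it makes frame 2 the only one marked "TCP Ack > 50ms". The same shadowing check applies to any ordered color-filter list: put the narrow "interesting event" filters above the broad protocol filters.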